macaroon

package
Published: May 28, 2019 License: AGPL-3.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// Error classes returned by this package. Error is the general class; the
// more specific classes below let callers tell a malformed key, a badly
// signed key, an unauthorized action and a revoked key apart.
var (
	// Error is a general API Key error
	Error = errs.Class("api key error")
	// ErrFormat means that the structural formatting of the API Key is invalid
	ErrFormat = errs.Class("api key format error")
	// ErrInvalid means that the API Key is improperly signed
	ErrInvalid = errs.Class("api key invalid error")
	// ErrUnauthorized means that the API key does not grant the requested permission
	ErrUnauthorized = errs.Class("api key unauthorized error")
	// ErrRevoked means the API key has been revoked
	ErrRevoked = errs.Class("api key revocation error")
)

Functions

func NewSecret

func NewSecret() (secret []byte, err error)

NewSecret generates 32 cryptographically random bytes.

Types

type APIKey

type APIKey struct {
	// contains filtered or unexported fields
}

APIKey implements a Macaroon-backed Storj-v3 API key.

func NewAPIKey

func NewAPIKey(secret []byte) (*APIKey, error)

NewAPIKey generates a brand new unrestricted API key given the provided server project secret.

func ParseAPIKey

func ParseAPIKey(key string) (*APIKey, error)

ParseAPIKey parses the given API key string and returns an APIKey if the string was correctly formatted. It does not validate the key: whether the key is properly signed, revoked, or authorizes an action is only established by Check, so a parsed key must not be trusted before Check succeeds.

func (*APIKey) Check

func (a *APIKey) Check(secret []byte, action Action, revoked [][]byte) error

Check verifies that the key authorizes the provided action given the root project secret and any possible revocations, returning an error if the action is not authorized. 'revoked' is a list of revoked heads.

func (*APIKey) Head

func (a *APIKey) Head() []byte

Head returns the identifier for this macaroon's root ancestor.

func (*APIKey) Restrict

func (a *APIKey) Restrict(caveat Caveat) (*APIKey, error)

Restrict generates a new APIKey with the provided Caveat attached.

func (*APIKey) Serialize

func (a *APIKey) Serialize() string

Serialize serializes the API Key to a string.

func (*APIKey) Tail

func (a *APIKey) Tail() []byte

Tail returns the identifier for this macaroon only.

type Action

type Action struct {
	// Op is the type of operation being performed (read, write, list or delete).
	Op            ActionType
	// Bucket and EncryptedPath identify what the operation targets.
	Bucket        []byte
	EncryptedPath []byte
	// Time is the instant the action is evaluated at; presumably compared
	// against Caveat.NotBefore/NotAfter — confirm in Caveat.Allows.
	Time          time.Time
}

Action describes the specific operation being performed, which the Macaroon will validate.

type ActionType

type ActionType int

ActionType specifies the type of operation being performed, which the Macaroon will validate.

const (
	// NOTE(review): the initializer of the first value is not shown in this
	// rendering (likely an unexported iota anchor) — confirm in source.

	// ActionRead specifies a read operation
	ActionRead ActionType
	// ActionWrite specifies a write operation
	ActionWrite
	// ActionList specifies a list operation
	ActionList
	// ActionDelete specifies a delete operation
	ActionDelete
)

type Caveat

type Caveat struct {
	// if any of these four are set, disallow that type of access
	DisallowReads   bool           `protobuf:"varint,1,opt,name=disallow_reads,json=disallowReads,proto3" json:"disallow_reads,omitempty"`
	DisallowWrites  bool           `protobuf:"varint,2,opt,name=disallow_writes,json=disallowWrites,proto3" json:"disallow_writes,omitempty"`
	DisallowLists   bool           `protobuf:"varint,3,opt,name=disallow_lists,json=disallowLists,proto3" json:"disallow_lists,omitempty"`
	DisallowDeletes bool           `protobuf:"varint,4,opt,name=disallow_deletes,json=disallowDeletes,proto3" json:"disallow_deletes,omitempty"`
	// if any entries exist, require all access to happen in at least one of them
	AllowedPaths    []*Caveat_Path `protobuf:"bytes,10,rep,name=allowed_paths,json=allowedPaths,proto3" json:"allowed_paths,omitempty"`
	// if set, the validity time window (presumably a nil pointer leaves that
	// bound unrestricted — confirm in Allows)
	NotAfter  *time.Time `protobuf:"bytes,20,opt,name=not_after,json=notAfter,proto3,stdtime" json:"not_after,omitempty"`
	NotBefore *time.Time `protobuf:"bytes,21,opt,name=not_before,json=notBefore,proto3,stdtime" json:"not_before,omitempty"`
	// nonce is set to some random bytes so that you can make arbitrarily
	// many restricted macaroons with the same (or no) restrictions.
	Nonce                []byte   `protobuf:"bytes,30,opt,name=nonce,proto3" json:"nonce,omitempty"`
	// protobuf-generated bookkeeping fields; not part of the caveat's meaning
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func NewCaveat added in v0.12.0

func NewCaveat() (Caveat, error)

NewCaveat returns a Caveat with a randomly generated nonce.

func (*Caveat) Allows

func (c *Caveat) Allows(action Action) bool

Allows returns true if the provided action is allowed by the caveat.

func (*Caveat) Descriptor

func (*Caveat) Descriptor() ([]byte, []int)

func (*Caveat) GetAllowedPaths added in v0.12.0

func (m *Caveat) GetAllowedPaths() []*Caveat_Path

func (*Caveat) GetDisallowDeletes

func (m *Caveat) GetDisallowDeletes() bool

func (*Caveat) GetDisallowLists

func (m *Caveat) GetDisallowLists() bool

func (*Caveat) GetDisallowReads

func (m *Caveat) GetDisallowReads() bool

func (*Caveat) GetDisallowWrites

func (m *Caveat) GetDisallowWrites() bool

func (*Caveat) GetNonce added in v0.12.0

func (m *Caveat) GetNonce() []byte

func (*Caveat) GetNotAfter

func (m *Caveat) GetNotAfter() *time.Time

func (*Caveat) GetNotBefore

func (m *Caveat) GetNotBefore() *time.Time

func (*Caveat) ProtoMessage

func (*Caveat) ProtoMessage()

func (*Caveat) Reset

func (m *Caveat) Reset()

func (*Caveat) String

func (m *Caveat) String() string

func (*Caveat) XXX_DiscardUnknown

func (m *Caveat) XXX_DiscardUnknown()

func (*Caveat) XXX_Marshal

func (m *Caveat) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Caveat) XXX_Merge

func (m *Caveat) XXX_Merge(src proto.Message)

func (*Caveat) XXX_Size

func (m *Caveat) XXX_Size() int

func (*Caveat) XXX_Unmarshal

func (m *Caveat) XXX_Unmarshal(b []byte) error

type Caveat_Path added in v0.12.0

type Caveat_Path struct {
	// Bucket the entry applies to.
	Bucket               []byte   `protobuf:"bytes,1,opt,name=bucket,proto3" json:"bucket,omitempty"`
	// EncryptedPathPrefix within that bucket; presumably matched as a prefix
	// of Action.EncryptedPath — confirm in Caveat.Allows.
	EncryptedPathPrefix  []byte   `protobuf:"bytes,2,opt,name=encrypted_path_prefix,json=encryptedPathPrefix,proto3" json:"encrypted_path_prefix,omitempty"`
	// protobuf-generated bookkeeping fields; not part of the entry's meaning
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

If any AllowedPaths entries exist, every access must fall within at least one of them.

func (*Caveat_Path) Descriptor added in v0.12.0

func (*Caveat_Path) Descriptor() ([]byte, []int)

func (*Caveat_Path) GetBucket added in v0.12.0

func (m *Caveat_Path) GetBucket() []byte

func (*Caveat_Path) GetEncryptedPathPrefix added in v0.12.0

func (m *Caveat_Path) GetEncryptedPathPrefix() []byte

func (*Caveat_Path) ProtoMessage added in v0.12.0

func (*Caveat_Path) ProtoMessage()

func (*Caveat_Path) Reset added in v0.12.0

func (m *Caveat_Path) Reset()

func (*Caveat_Path) String added in v0.12.0

func (m *Caveat_Path) String() string

func (*Caveat_Path) XXX_DiscardUnknown added in v0.12.0

func (m *Caveat_Path) XXX_DiscardUnknown()

func (*Caveat_Path) XXX_Marshal added in v0.12.0

func (m *Caveat_Path) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Caveat_Path) XXX_Merge added in v0.12.0

func (m *Caveat_Path) XXX_Merge(src proto.Message)

func (*Caveat_Path) XXX_Size added in v0.12.0

func (m *Caveat_Path) XXX_Size() int

func (*Caveat_Path) XXX_Unmarshal added in v0.12.0

func (m *Caveat_Path) XXX_Unmarshal(b []byte) error

type Macaroon

type Macaroon struct {
	// contains filtered or unexported fields
}

Macaroon is a struct that determines contextual caveats and authorization.

func NewUnrestricted

func NewUnrestricted(secret []byte) (*Macaroon, error)

NewUnrestricted creates a Macaroon with a random Head and a generated Tail.

func ParseMacaroon

func ParseMacaroon(data []byte) (*Macaroon, error)

ParseMacaroon converts binary data to a Macaroon.

func (*Macaroon) AddFirstPartyCaveat

func (m *Macaroon) AddFirstPartyCaveat(c []byte) (macaroon *Macaroon, err error)

AddFirstPartyCaveat creates a signed macaroon with the caveat appended.

func (*Macaroon) CaveatLen

func (m *Macaroon) CaveatLen() int

CaveatLen returns the number of caveats this macaroon has.

func (*Macaroon) Caveats

func (m *Macaroon) Caveats() (caveats [][]byte)

Caveats returns a copy of the macaroon's caveats.

func (*Macaroon) Copy

func (m *Macaroon) Copy() *Macaroon

Copy returns a copy of the macaroon.

func (*Macaroon) Head

func (m *Macaroon) Head() (head []byte)

Head returns a copy of the macaroon head.

func (*Macaroon) Serialize

func (m *Macaroon) Serialize() (data []byte)

Serialize converts the macaroon to its binary format.

func (*Macaroon) Tail

func (m *Macaroon) Tail() (tail []byte)

Tail returns a copy of the macaroon tail.

func (*Macaroon) Tails

func (m *Macaroon) Tails(secret []byte) [][]byte

Tails returns all ancestor tails up to and including the current tail.

func (*Macaroon) Validate

func (m *Macaroon) Validate(secret []byte) (ok bool)

Validate reconstructs the macaroon with all of its caveats from the secret and compares tails, returning true if the tails match.
